On Thursday, as part of the White House response to alleged Russian hacking, the FBI and DHS released a Joint Analysis Report (JAR) called “Grizzly Steppe.” While this report was meant to prove, or at least provide evidence, that the Russian government was involved in hacks of the Democratic Party, experts have stated that it “adds nothing.”

Jeffrey Carr, a cybersecurity consultant, author, and founder of the Suits and Spooks conference, wrote in an analysis that the report merely lists every threat group ever reported on by a commercial cybersecurity company suspected of having ties to Russia, labeling them “Russian Intelligence Services,” without evidence that any such connection exists.

“Unlike Crowdstrike, ESET doesn’t assign APT28/Fancy Bear/Sednit to a Russian Intelligence Service or anyone else for a very simple reason. Once malware is deployed, it is no longer under the control of the hacker who deployed it or the developer who created it,” Carr wrote, adding, “It can be reverse-engineered, copied, modified, shared and redeployed again and again by anyone. In other words — malware deployed is malware enjoyed!”

Carr added that if the White House had unclassified evidence tying Russia to the DNC hack, the evidence would have been made public by now. Since they have not made evidence public, he, like many other members of the intelligence community, believes that it is either classified or it simply does not exist.

“If it’s classified, an independent commission should review it because this entire assignment of blame against the Russian government is looking more and more like a domestic political operation run by the White House that relied heavily on questionable intelligence generated by a for-profit cybersecurity firm with a vested interest in selling ‘attribution-as-a-service,’” Carr stated.

Likewise, Robert M. Lee, a National Cybersecurity Fellow at New America and CEO and founder of cybersecurity company Dragos, published a thorough critique of the JAR, saying it “reads like a poorly done vendor intelligence report stringing together various aspects of attribution without evidence.”

“The list of reported RIS [Russian intelligence services] names includes relevant and specific names such as campaign names, more general and often unrelated malware family names, and extremely broad and non-descriptive classification of capabilities,” Lee wrote. “It was a mixing of data types that didn’t meet any objective in the report and only added confusion as to whether the DHS/FBI knows what they are doing or if they are instead just telling teams in the government ‘contribute anything you have that has been affiliated with Russian activity.’”

Lee explained that it is extremely difficult to identify whether data was sourced from the private sector or from declassified government data.

“It is useful to know what is government data from previously classified sources and what is data from the private sector and more importantly who in the private sector. Organizations will have different trust or confidence levels of the different types of data and where it came from,” Lee said. “Unfortunately, this is entirely missing. The report does not source its data at all. It’s a random collection of information and in that way, is mostly useless.”

Lee, in his critique, detailed that it is important for government reports to detail where data came from, and to separate private-sector information from their own data, which is seen to have a higher confidence level. Further, Lee stated that some of the samples were already known to the public, so if they were classified, “it is a perfect example of over classification by government bureaucracy.”

“The DHS/FBI GRIZZLY STEPPE report does not meet its stated intent of helping network defenders and instead choose to focus on a confusing assortment of attribution, non-descriptive indicators, and re-hashed tradecraft,” Lee said. “Additionally, the bulk of the report (8 of the 13 pages) is general high level recommendations not descriptive of the RIS threats mentioned and with no linking to what activity would help with what aspect of the technical data covered. It simply serves as an advertisement of documents and programs the DHS is trying to support. One recommendation for Whitelisting Applications might as well read ‘whitelisting is good mm’kay?’”

Lee summed up that JAR appears to be very rushed, and put together by multiple teams working with different data sets and motivations, resulting in a very confusing non-explanation that tried to cover too much, while saying too little.

Hello,
!

We are committed to protecting your personal information and we have updated our Privacy Policy to comply with the General Data Protection Regulation (GDPR), a new EU regulation that went into effect on May 25, 2018.

Please review our Privacy Policy. It contains details about the types of data we collect, how we use it, and your data protection rights.

Since you already shared your personal data with us when you created your personal account, to continue using it, please check the box below:

I agree to the processing of my personal data for the purpose of creating a personal account on this site, in compliance with the Privacy Policy.

If you do not want us to continue processing your data, please click here to delete your account.

promotes the use of narcotic / psychotropic substances, provides information on their production and use;

contains links to viruses and malicious software;

is part of an organized action involving large volumes of comments with identical or similar content ("flash mob");

“floods” the discussion thread with a large number of incoherent or irrelevant messages;

violates etiquette, exhibiting any form of aggressive, humiliating or abusive behavior ("trolling");

doesn’t follow standard rules of the English language, for example, is typed fully or mostly in capital letters or isn’t broken down into sentences.

The administration has the right to block a user’s access to the page or delete a user’s account without notice if the user is in violation of these rules or if behavior indicating said violation is detected.